This invention in general relates to authenticating sessions for interacting with online systems and more specifically to authenticating sessions based on mobile devices used for interacting with the online system.
User accounts of online systems get compromised when user credentials are stolen by unauthorized users. For example, illegitimate users resort to phishing to obtain confidential information from users, such as user names, passwords, account numbers and the like, by pretending to be legitimate online entities. A fraudulent website presents a look and feel that is almost identical to that of a legitimate website, which may be a popular and trusted website. Users who are unaware that they are interacting with a fraudulent website provide sensitive information to it. The fraudulent website thereby obtains the user name and password of the user and can subsequently use them for unauthorized access to the online system.
Once a user account is compromised, the unauthorized user has access to the account and can misuse the account for illegitimate purposes. The unauthorized user may be able to post messages using the account, gain access to sensitive user information such as credit card numbers, social security numbers, or date of birth, and even execute financial transactions, if allowed by the online system. Damage from such unauthorized account access can include theft of information as well as substantial financial losses.
Online systems attempt to prevent credentials from being stolen and user accounts from getting compromised. For example, online systems can require users to use passwords that cannot be guessed easily and can also require users to change passwords on a regular basis. Some online systems require enhanced authentication procedures, for example, by requesting the user to identify an image preselected by the user. Once a user's account has become compromised, however, online systems must try to prevent or limit the damage caused by unauthorized account access by determining whether a user session is legitimate or originates from an unauthorized person who obtained the user's account information unlawfully. It is preferable that the online system detect early whether a session was created by an unauthorized person, in order to limit the damage that person can cause.